From: Dylan Donnell dylan.donnell@student.griffith.ie
--- dlls/ntdll/unix/thread.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/dlls/ntdll/unix/thread.c b/dlls/ntdll/unix/thread.c
index b64a7dd40af..eb94b21032f 100644
--- a/dlls/ntdll/unix/thread.c
+++ b/dlls/ntdll/unix/thread.c
@@ -2040,9 +2040,23 @@ NTSTATUS WINAPI NtQueryInformationThread( HANDLE handle, THREADINFOCLASS class,
 void *data, ULONG length, ULONG *ret_len )
 {
 unsigned int status;
+ MEMORY_BASIC_INFORMATION memory_info;
TRACE("(%p,%d,%p,%x,%p)\n", handle, class, data, (int)length, ret_len);
+ if (ret_len)
+ {
+ /* check whether ret_len is writable */
+ if (NtQueryVirtualMemory( GetCurrentProcess(), ret_len, MemoryBasicInformation, &memory_info, sizeof(memory_info), NULL ) != STATUS_SUCCESS)
+ {
+ return STATUS_ACCESS_VIOLATION;
+ }
+ if (!(memory_info.Protect & (PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)))
+ {
+ return STATUS_ACCESS_VIOLATION;
+ }
+ }
+
 switch (class)
 {
 case ThreadBasicInformation:
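Review bot: The probe added ahead of `switch (class)` is check-then-use, so it cannot guarantee that the stores to `*ret_len` in the case bodies (outside this hunk) will succeed: another thread can change the protection after NtQueryVirtualMemory returns, only the region containing the first byte of the ULONG is queried, and a page with PAGE_GUARD set alongside PAGE_READWRITE passes the mask. The test also reads `memory_info.Protect` without looking at `State`, although Protect is documented as undefined for free regions; `if (memory_info.State != MEM_COMMIT || !(memory_info.Protect & (PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)))` makes that explicit. Because the probe runs before `class` is dispatched (and presumably before the handle is validated), a bad `ret_len` now takes precedence over every other error status, which is worth confirming with a test against Windows. I would reword the comment to `/* best-effort probe of the first byte of ret_len; later writes must still tolerate a fault */` so readers do not treat it as a guarantee.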